Security Config File questions


Security Config File questions

Michael Malgeri

Got a couple of security related questions:

1. In the following snippet from the j2ee-secure-plan.xml file, one of possibly many login modules (which are connected by a reference tag) is associated with the realm and the other block that appears above the realm:

<gbean name="demo-properties-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
        <name>demo-properties-login</name>
    </reference>
</gbean>

Each login module has a Flag, which I see in this case is "REQUIRED".
But shouldn't each login module have the ability to take "options", which I don't see?
Is there an "options" attribute? I know there is an "options" attribute in the "LoginModuleGBean" that this block is associated with, but what do you do in the case when there are multiple login modules, i.e. multiple JaasLoginModuleUse gbeans, and they each can have options?

2. In a standard JAAS config file, there are "Application blocks" that contain groups of login modules. It looks something like

App1 {
    Class Flag Options;
    Class Flag Options; etc.
};

where there is a "Class", "Flag" and "Options" for each login module.

"What" tag/artifact/THING in the j2ee-secure-plan.xml file corresponds to "App1" in the preceding block?

Michael Malgeri
Mgr Gluecode Client Technical Services
PHONE: 310-536-8355 x 14
FAX: 310-536-9062
CELLULAR: 310-704-6403

Re: Security Config File questions

David Jencks

On Jun 10, 2005, at 10:26 AM, Michael Malgeri wrote:

> [Michael's original message, quoted in full; see the first post above]

Let's see if I can answer both questions at once, or if I just confuse
things further.

Each line Class Flag Options from (2) corresponds to a LoginModuleGBean
in Geronimo, except we take out the flag.

Each App1 corresponds to a GenericSecurityRealm gbean.

We let you reuse a configured login module for several security realms.
Each GenericSecurityRealm gets a reference to a linked list of
LoginModuleUse gbeans, which supplies the order of login modules and
the Flag for each login module as used in the GenericSecurityRealm. It
may not be obvious from the j2ee-secure-plan, but LoginModuleUse has a
reference to a next LoginModuleUse.

The examples in OpenEJB have an alternate XML syntax that is much
clearer, but I'm not sure it is completely approved by everyone.

thanks
david jencks



Re: Security Config File questions

Michael Malgeri

OK, so App1, in the standard jaas.config block, would correspond to a LoginModuleGBean as you stated. Thanks for clearing that up.

In a business application, would it be correct to say that "App1" might/should be named something like "Human_Resources_App" as opposed to "demo-properties-login"? I realize it has to be named "something" in the plan shipped with the distribution so "demo-properties-login" is OK. I'm just trying to clarify the concepts in my mind.

If I'm correct then the "Human_Resource_App", as a basic composite application, may require multiple authentications to, say, a properties file for one part of its functionality, a SQL database for another part and an LDAP server for yet another part. Each of these logins would be handled by a separate login module, correct?

So the one thing that is still unclear is the fact that each login module, which are JaasLoginModuleUse beans linked together, can have their own separate set of options. The standard jaas.config file has a 1 to many relationship between "App1" and login modules, but I think you're suggesting below there's a one to one relationship, unless I'm reading it wrong.

m

Michael Malgeri
Mgr Gluecode Client Technical Services
PHONE: 310-536-8355 x 14
FAX: 310-536-9062
CELLULAR: 310-704-6403



David Jencks <[hidden email]>
06/10/2005 10:45 AM
Please respond to: dev
To: [hidden email]
cc:
Subject: Re: Security Config File questions

> [David's reply of 10:45 AM, quoted in full; see the previous post above]


Re: Security Config File questions

David Jencks

On Jun 10, 2005, at 11:26 AM, Michael Malgeri wrote:

>
> OK, so App1, in the standard jaas.config block, would correspond to a
> LoginModuleGBean as you stated. Thanks for clearing that up.
No!!
App1 corresponds to a GenericSecurityRealm, which has a list of login
modules (via the LoginModuleUse gbeans).
>
> In a business application, would it be correct to say that "App1"
> might/should be named something like "Human_Resources_App" as opposed
> to "demo-properties-login"? I realize it has to be named "something"
> in the plan shipped with the distribution so "demo-properties-login"
> is OK. I'm just trying to clarify the concepts in my mind.

yes.
>
> If I'm correct then the "Human_Resource_App", as a basic composite
> application, may require multiple authentications to, say, a properties
> file for one part of its functionality, a SQL database for another
> part and an LDAP server for yet another part. Each of these logins
> would be handled by a separate login module, correct?

yes.
>
> So the one thing that is still unclear is the fact that each login
> module, which are JaasLoginModuleUse beans linked together, can have
> their own separate set of options. The standard jaas.config file has a
> 1 to many relationship between "App1" and login modules, but I think
> you're suggesting below there's a one to one relationship, unless I'm
> reading it wrong.

LoginModuleGBeans have the login module class and the options.

GenericSecurityRealm has an (ordered) list of (login module gbean +
option). Right now these take the slightly awkward form of a linked
list of LoginModuleUse gbeans.

Hope this is a little clearer.

thanks
david jencks


Re: Security Config File questions

Michael Malgeri

OK, now I think I got it.

One final two-part question...hopefully.

There is a one-to-one association between a LoginModuleGBean gbean and a JaasLoginModuleUse gbean, correct?

Which property or reference ties the two together?

Is the following

<gbean name="demo-properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">

tied to the "name" property of this

<gbean name="demo-properties-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">

or to the following reference of the same JaasLoginModuleUse gbean

<reference name="LoginModule">
    <name>demo-properties-login</name>
</reference>

or something else?

Much appreciated


Michael Malgeri
Mgr Gluecode Client Technical Services
PHONE: 310-536-8355 x 14
FAX: 310-536-9062
CELLULAR: 310-704-6403



David Jencks <[hidden email]>
06/10/2005 04:35 PM
Please respond to: dev
To: [hidden email]
cc:
Subject: Re: Security Config File questions

> [David's reply of 04:35 PM, quoted in full; see the previous post above]



Re: Security Config File questions

David Jencks

On Jun 10, 2005, at 5:44 PM, Michael Malgeri wrote:

>
> OK, now I think I got it.
>
> One final two-part question...hopefully.
>
> There is a one-to-one association between a LoginModuleGBean gbean
> and a JaasLoginModuleUse gbean, correct?

Actually, one to many: you can have lots of JaasLoginModuleUse gbeans
that all refer to the same LoginModuleGBean instance.

We did this in case there is some kind of login module framework that
is expensive or complicated to configure in some way and that you
wanted to use in several realms.

> Which property or reference ties the two together?
>
> Is the following
>
> <gbean name="demo-properties-login"  
> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>
> tied to the "name" property of this
>
> <gbean name="demo-properties-login"
> class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>
> or to the following reference of the same JaasLoginModuleUse gbean
>
> <reference name="LoginModule">
>             <name>demo-properties-login</name>
> </reference>

The reference.
>
> or something else?
>
> Much appreciated

np
david jencks
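The mapping David lays out across his replies (one realm per jaas.config application block, a linked list of LoginModuleUse gbeans carrying the flags, one LoginModuleGBean reusable by several realms), as an added example that is not part of the original posts or of Geronimo itself: the three gbean kinds as plain Python objects, rendered back into the jaas.config form from question (2) and run through the standard JAAS control-flag rules. The login module class names, the option keys and the realm and module names other than the thread's own are constructed.

```python
"""Added example, not Geronimo code: the thread's three gbean kinds as plain
Python objects, showing how a realm's linked list of "use" gbeans maps onto one
jaas.config block and how each use's control flag decides the login outcome."""
from dataclasses import dataclass, field


@dataclass
class LoginModuleGBean:
    """Class + options: a 'Class ... Options' line with the Flag taken out."""
    name: str
    login_module_class: str
    options: "dict[str, str]" = field(default_factory=dict)


@dataclass
class JaasLoginModuleUse:
    """Flag + reference to a LoginModuleGBean + reference to the next use."""
    control_flag: str                # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    login_module: LoginModuleGBean
    next_use: "JaasLoginModuleUse | None" = None


@dataclass
class GenericSecurityRealm:
    """The 'App1' of a jaas.config file: a name plus the head of the use list."""
    realm_name: str
    head: "JaasLoginModuleUse | None"

    def uses(self) -> "list[JaasLoginModuleUse]":
        out, cur = [], self.head          # walk next_use: list order = try order
        while cur is not None:
            out.append(cur)
            cur = cur.next_use
        return out


def render_jaas_config(realm: GenericSecurityRealm) -> str:
    """Render a realm as the equivalent 'App { Class Flag Options; };' block."""
    lines = [f"{realm.realm_name} {{"]
    for use in realm.uses():
        entry = f"{use.login_module.login_module_class} {use.control_flag}"
        for key, value in use.login_module.options.items():
            entry += f' {key}="{value}"'
        lines.append(f"    {entry};")
    lines.append("};")
    return "\n".join(lines)


def authenticate(realm: GenericSecurityRealm, outcome: "dict[str, bool]") -> bool:
    """Combine per-module login() results (keyed by gbean name) per JAAS rules."""
    required_seen = required_failed = optional_ok = False
    for use in realm.uses():
        ok, flag = outcome[use.login_module.name], use.control_flag
        if flag == "REQUIRED":                # must succeed; the stack continues
            required_seen, required_failed = True, required_failed or not ok
        elif flag == "REQUISITE":             # must succeed; failure stops the stack
            required_seen = True
            if not ok:
                return False
        elif flag == "SUFFICIENT":            # success ends the stack early,
            if ok and not required_failed:    # unless a REQUIRED already failed
                return True
        elif ok:                              # OPTIONAL: counts only if nothing
            optional_ok = True                # REQUIRED/REQUISITE is in the stack
    return (not required_failed) if required_seen else optional_ok


# Constructed sample data (module class names and option keys are hypothetical).
# One LoginModuleGBean is reused by two realms with a different flag in each.
PROPS = LoginModuleGBean("demo-properties-login", "org.example.PropertiesFileLoginModule",
                         {"users": "hr-users.properties"})
LDAP = LoginModuleGBean("hr-ldap-login", "org.example.LdapLoginModule")
HR_REALM = GenericSecurityRealm("Human_Resources_App", JaasLoginModuleUse(
    "REQUISITE", PROPS, JaasLoginModuleUse("REQUIRED", LDAP)))
DEMO_REALM = GenericSecurityRealm("demo-realm", JaasLoginModuleUse("SUFFICIENT", PROPS))
```

The REQUISITE use stops the Human_Resources_App stack before the LDAP module is consulted, while the same properties module reused as SUFFICIENT in the demo realm decides that realm on its own: the flag is a property of the use, not of the module.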
